what difference between tls authentication and tls-external authentication

[barryzhounb]

We is using our own Clients CA, I follow the below steps, basically it works. But I am confused the difference between tls authentication and tls-external authentication, so write this question to ask.

STEP 1: I install our own Clients CA by followed https://strimzi.io/docs/operators/latest/full/using.html#installing-your-own-ca-certificates-str with our own root CA and key.

STEP 2: Generate a CSR for user-1, then sign this CSR with setting subject in the form CN=user-1 by our own root CA, then we get user-1's certificate and its key. Then we convert it pkcs12 and store in user keystore with jks format.

STEP 3: Create a KafkaUser with type: tls

STEP 4: connect to kafka

The above works well.

Please note that here we use tls authentication rather than tls-external, it still works.

My question is:
(1) Use our clients CA, but set tls authentication, it still works. Is this result as expected?

(2) I read Strimiz document, it recommends - if we use our own client CA, we can set tls-external authentication. In this case, what difference between tls authentication and tls-external authentication?

[scholzj]

• If you use type: tls, the User Operator will generate a secret with new certificate by the CA.
• If you use type: tls-external, the user operator will not create the new certificate and you are expected to generate the certificate yourself in whatever way you want.

If you provided both public and private key for the Clients CA, then yes, both methods will work at the same time. But if you want to use your own certificate you generated somewhere else, you do not want in your Kube cluster some secret with another certificate which can be used for authentication.

[barryzhounb]

Thank you @scholzj , you are always promptly response.